CVE-2025-12810 Overview
CVE-2025-12810 is an Improper Authentication vulnerability (CWE-287) affecting Delinea Inc. Secret Server On-Prem, specifically within the RPC Password Rotation modules. The vulnerability occurs when a secret configured with "change password on check in" enabled automatically checks in even when the password change operation fails after reaching its retry limit. This leaves the secret in an inconsistent state with the wrong password stored in the system.
Critical Impact
This vulnerability can leave privileged credentials in an inconsistent state where the stored password no longer matches the actual password on the target system, potentially leading to service disruptions, failed authentication attempts, and security blind spots in credential management workflows.
Affected Products
- Delinea Secret Server On-Prem 11.8.1
- Delinea Secret Server On-Prem 11.9.6
- Delinea Secret Server On-Prem 11.9.25
Discovery Timeline
- 2026-01-27 - CVE-2025-12810 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2025-12810
Vulnerability Analysis
This vulnerability stems from improper handling of password rotation failure scenarios in Delinea Secret Server's RPC Password Rotation modules. When an administrator configures a secret with the "change password on check in" option enabled, the system is designed to automatically rotate the credential when the secret is checked back in. However, a logic flaw causes the system to proceed with the check-in operation even when the password change operation has failed after exhausting all configured retry attempts.
The core issue is that the application does not properly validate the success state of the password rotation operation before transitioning the secret's state to "checked in." This creates a dangerous inconsistency between what the Secret Server believes the password to be and what the actual password is on the target system.
Root Cause
The root cause is an improper authentication state management flaw in the RPC Password Rotation workflow. The check-in logic fails to enforce a dependency between successful password rotation and the check-in state transition. Instead of keeping the secret in a "checked out" state when rotation fails (which would alert administrators to the problem), the system incorrectly completes the check-in, masking the failure condition.
Attack Vector
The vulnerability is exploitable over the network and requires low-privilege access to the Secret Server application. An attacker or malicious insider with the ability to trigger password rotation scenarios could potentially exploit this flaw to create credential inconsistencies. The vulnerability primarily impacts integrity and availability by leaving secrets in an unreliable state.
The attack scenario involves:
- A secret is checked out with "change password on check in" enabled
- Password rotation is triggered but fails (due to network issues, permission problems, or intentional interference)
- After retry limits are exhausted, the secret incorrectly checks in
- The stored password no longer matches the actual credential on the target system
- Subsequent attempts to use the secret fail, potentially causing service disruptions
The vulnerability mechanism involves improper state transition handling in the password rotation workflow. When a password change operation fails after reaching its retry limit, the system should maintain the secret in a checked-out state to preserve credential integrity and alert administrators. Instead, the flawed logic allows the check-in to complete regardless of the rotation outcome. For detailed technical information, refer to the Delinea Trust Resource.
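The state transition described above, modelled as an added illustration (not Delinea's code): the Secret class, the rotate callback and the retry loop are assumptions made for the example, with the flawed check-in beside the corrected one.

```python
"""Model of the check-in/rotation state transition described above.

Added illustration, not Delinea's code: the Secret class, the rotate
callback and the retry loop are assumed for the example.
"""
from dataclasses import dataclass, field

CHECKED_OUT = "checked_out"
CHECKED_IN = "checked_in"


@dataclass
class Secret:
    name: str
    stored_password: str          # what Secret Server believes the password is
    state: str = CHECKED_OUT
    change_on_checkin: bool = True
    rotation_failed: bool = False
    events: list = field(default_factory=list)


def _rotate_with_retries(secret, rotate, new_password, retry_limit):
    """Attempt the remote password change up to retry_limit times."""
    for attempt in range(1, retry_limit + 1):
        if rotate(new_password):
            secret.stored_password = new_password
            secret.events.append(f"rotation succeeded on attempt {attempt}")
            return True
        secret.events.append(f"rotation attempt {attempt} failed")
    return False


def checkin_vulnerable(secret, rotate, new_password, retry_limit=3):
    """Flawed logic: the check-in completes regardless of the rotation result."""
    if secret.change_on_checkin:
        _rotate_with_retries(secret, rotate, new_password, retry_limit)
    secret.state = CHECKED_IN   # bug: rotation outcome is never consulted
    return secret.state


def checkin_fixed(secret, rotate, new_password, retry_limit=3):
    """Hardened logic: a successful rotation is a prerequisite for check-in."""
    if secret.change_on_checkin:
        if not _rotate_with_retries(secret, rotate, new_password, retry_limit):
            secret.rotation_failed = True   # surfaced to administrators
            return secret.state             # stays CHECKED_OUT
    secret.state = CHECKED_IN
    return secret.state
```

With a rotate callback that always fails, the vulnerable path reports the secret as checked in after three failed attempts, while the fixed path leaves it checked out and flags the failure.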
Detection Methods for CVE-2025-12810
Indicators of Compromise
- Unexpected authentication failures when using secrets from Secret Server that previously worked correctly
- Secrets showing "checked in" status despite recent password rotation failures in audit logs
- Discrepancies between Secret Server stored passwords and actual target system credentials
- Elevated rates of password rotation retry failures followed by successful check-ins
Detection Strategies
- Monitor Secret Server audit logs for password rotation failures followed by automatic check-ins
- Implement alerting on secrets that transition to checked-in state after rotation retry limit exhaustion
- Configure external validation scripts to verify credential accuracy after check-in operations
- Review RPC Password Rotation module logs for error patterns indicating failed rotations
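The first two detection strategies above (rotation failures followed by automatic check-ins) as an added log-correlation example; this is not a Delinea tool, and the audit line format and sample lines are constructed for illustration.

```python
"""Correlate rotation failures with subsequent check-ins in an audit log.

Added example, not a Delinea tool: the line format is constructed for
illustration and must be adapted to the real Secret Server audit export.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log (assumed format: "<timestamp> secret=<id> event=<name> ...").
SAMPLE_LOG = """\
2026-01-28T09:00:01Z secret=1042 event=CHECKOUT user=alice
2026-01-28T09:30:10Z secret=1042 event=ROTATION_FAILED attempt=1
2026-01-28T09:30:40Z secret=1042 event=ROTATION_FAILED attempt=2
2026-01-28T09:31:10Z secret=1042 event=ROTATION_FAILED attempt=3 retry_limit_reached=true
2026-01-28T09:31:11Z secret=1042 event=CHECKIN user=alice
2026-01-28T10:00:00Z secret=2077 event=CHECKOUT user=bob
2026-01-28T10:20:00Z secret=2077 event=ROTATION_SUCCEEDED
2026-01-28T10:20:01Z secret=2077 event=CHECKIN user=bob
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) secret=(?P<id>\d+) event=(?P<event>\w+)(?P<rest>.*)$")


def parse(lines):
    """Yield (timestamp, secret id, event, remaining fields) for well-formed lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # skip lines that do not match the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["id"], m["event"], m["rest"]


def find_suspect_checkins(log_text, window=timedelta(minutes=10)):
    """Return (secret id, check-in time) pairs where a check-in followed retry exhaustion."""
    last_exhausted = {}   # secret id -> time the retry limit was reached
    suspects = []
    for ts, sid, event, rest in parse(log_text.splitlines()):
        if event == "ROTATION_FAILED" and "retry_limit_reached=true" in rest:
            last_exhausted[sid] = ts
        elif event == "ROTATION_SUCCEEDED":
            last_exhausted.pop(sid, None)   # a later success clears the condition
        elif event == "CHECKIN" and sid in last_exhausted:
            if ts - last_exhausted[sid] <= window:
                suspects.append((sid, ts.isoformat()))
            del last_exhausted[sid]
    return suspects
```

On the sample, only secret 1042 is reported: its check-in came one second after the retry limit was reached, whereas secret 2077 rotated successfully before checking in.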
Monitoring Recommendations
- Enable verbose logging for the RPC Password Rotation modules to capture rotation failure details
- Set up monitoring dashboards to track password rotation success/failure ratios
- Implement automated credential validation checks that compare Secret Server passwords against target systems
- Configure alerts for any secrets that enter an inconsistent state
How to Mitigate CVE-2025-12810
Immediate Actions Required
- Upgrade Delinea Secret Server On-Prem to version 11.9.47 or later immediately
- Audit all secrets with "change password on check in" enabled to identify any in inconsistent states
- Manually verify credentials for any secrets that experienced rotation failures prior to patching
- Consider temporarily disabling automatic password rotation on check-in until the patch is applied
Patch Information
Delinea has released version 11.9.47 which addresses this vulnerability. In the patched version, the secret will correctly remain checked out when the password change fails, ensuring administrators are alerted to the issue and credential integrity is maintained. The fix ensures proper state management by enforcing a successful password rotation as a prerequisite for the check-in state transition.
For detailed release information, refer to the Delinea Release Notes 11.9 and the Delinea Trust Center.
Workarounds
- Disable "change password on check in" functionality on sensitive secrets until the patch is applied
- Implement manual password rotation procedures with verification steps as a temporary measure
- Configure monitoring to immediately alert on any password rotation failures
- Establish a process to manually verify and correct credentials after any failed rotation attempts
Verification Steps After Patching
- Check the current Secret Server version: navigate to Admin > General > About and verify the version shows 11.9.47 or later
- Review secrets with auto-rotation enabled: navigate to Admin > Scripts > Password Rotation and audit all secrets with "change password on check in" enabled
- Manually verify credentials against target systems for any secrets that experienced rotation failures prior to patching
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.